Migrate to Spring Security 6's @EnableWebSocketSecurity
#20404
Comments
This issue is stale because it has been open for too long without any activity.
Keep it open.
Is there a workaround for this that does not involve using the deprecated
This issue is stale because it has been open for too long without any activity.
FYI: @mdmm13 Hi, I found an issue showing a workaround. spring-projects/spring-security#12378 (comment) and spring-projects/spring-security#13640
Overview of the issue
Spring Security 6 introduces an @EnableWebSocketSecurity annotation to replace the deprecated AbstractSecurityWebSocketMessageBrokerConfigurer. However, this annotation does not provide a way to disable CSRF for websockets.
From https://docs.spring.io/spring-security/reference/6.0/servlet/integrations/websocket.html:
Motivation for or Use Case
We should not use deprecated classes where possible.
Reproduce the error
Generate an app with websockets and you'll see that WebsocketSecurityConfiguration extends a deprecated class. It'd be good to rename our Websocket classes to be WebSocket to be in line with Spring Security. However, it might be a pain for upgrading, so leaving the names as-is might be a good idea.
Related issues